StigData/Processed/Windows-All-IE11-1.15.xml
<DISASTIG id="IE_11_STIG" version="1.15" created="8/16/2018"> <RegistryRule dscresourcemodule="PSDesiredStateConfiguration"> <Rule id="V-46473" severity="medium" conversionstatus="pass" title="DTBI014-IE11-TLS setting" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Advanced Page >> "Turn off Encryption Support" must be "Enabled". Verify the only options selected are "Use TLS 1.1" and "Use TLS 1.2" from the drop-down box. Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings If the value for "SecureProtocols" is not REG_DWORD = "2560", this is a finding.</RawString> <ValueData>2560</ValueData> <ValueName>SecureProtocols</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46475" severity="medium" conversionstatus="pass" title="DTBI015-IE11-Warning of certificate mismatch" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page 'Turn on certificate address mismatch warning' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value "WarnOnBadCertRecving" is REG_DWORD = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>WarnOnBadCertRecving</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46477" severity="low" conversionstatus="pass" title="DTBI018-IE11-Publishers Certificate Revocation" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the system is on the SIPRNet, this requirement is NA. Open Internet Explorer. From the menu bar, select "Tools". From the "Tools" drop-down menu, select "Internet Options". From the "Internet Options" window, select the "Advanced" tab, from the "Advanced" tab window, scroll down to the "Security" category, and verify the "Check for publisher's certificate revocation" box is selected. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing Criteria If the value "State" is "REG_DWORD = 23C00", this is not a finding.</RawString> <ValueData>23C00</ValueData> <ValueName>State</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46481" severity="medium" conversionstatus="pass" title="DTBI022-IE11-Download signed ActiveX - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Download signed ActiveX controls' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1001" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1001</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46483" severity="medium" conversionstatus="pass" title="DTBI023-IE11-Download unsigned ActiveX - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Download unsigned ActiveX controls' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1004" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1004</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46501" severity="medium" conversionstatus="pass" title="DTBI024-IE11-Initialize and script ActiveX - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Initialize and script ActiveX controls not marked as safe' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1201" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1201</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46505" severity="medium" conversionstatus="pass" title="DTBI030-IE11-Font download control - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow font downloads' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1604" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1604</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46507" severity="medium" conversionstatus="pass" title="DTBI031-IE11-Java Permission - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>1C00</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46509" severity="medium" conversionstatus="pass" title="DTBI032-IE11-Access data sources across domains - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Access data sources across domains' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1406" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1406</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46511" severity="medium" conversionstatus="pass" title="DTBI036-IE11-Drag and drop or copy and paste - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow drag and drop or copy and paste files' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value for "1802" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1802</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46513" severity="medium" conversionstatus="pass" title="DTBI038-IE11-Programs and files in IFRAME - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Launching applications and files in an IFRAME' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1804" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1804</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46515" severity="medium" conversionstatus="pass" title="DTBI039-IE11-Navigating across domains - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Navigate windows and frames across different domains' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1607" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1607</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46517" severity="medium" conversionstatus="pass" title="DTBI042-IE11-Userdata persistence - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Userdata persistence' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1606" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1606</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46521" severity="medium" conversionstatus="pass" title="DTBI044-IE11-Paste operations via script - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow cut, copy or paste operations from the clipboard via script' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1407" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1407</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46523" severity="medium" conversionstatus="pass" title="DTBI046-IE11-User Authentication-Logon - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Logon options' must be 'Enabled', and 'Prompt for user name and password' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1A00" is REG_DWORD = 65536 (decimal), this is not a finding.</RawString> <ValueData>65536</ValueData> <ValueName>1A00</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46525" severity="medium" conversionstatus="pass" title="DTBI061-IE11-Java Permission - Intranet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Intranet Zone -> 'Java permissions' must be 'Enabled', and 'High Safety' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value "1C00" is REG_DWORD = 65536, (Decimal), this is not a finding.</RawString> <ValueData>65536</ValueData> <ValueName>1C00</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46543" severity="medium" conversionstatus="pass" title="DTBI091-IE11-Java Permission - Trusted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Trusted Sites Zone -> 'Java permissions' must be 'Enabled', and 'High Safety' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value "1C00" is REG_DWORD = 65536, (Decimal), this is not a finding.</RawString> <ValueData>65536</ValueData> <ValueName>1C00</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46545" severity="medium" conversionstatus="pass" title="DTBI1000-IE11-Content from different domains within windows - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Security Page-> Internet Zone 'Enable dragging of content from different domains within a window' must be 'Enabled', and 'Disabled' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2708" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2708</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46547" severity="medium" conversionstatus="pass" title="DTBI1005-IE11-Content from different domains across windows - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Security Page-> Restricted Sites Zone 'Enable dragging of content from different domains across windows' must be 'Enabled', and 'Disabled' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2709" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2709</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46549" severity="medium" conversionstatus="pass" title="DTBI1010-IE11-Restrict ActiveX Install - Explorer" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict ActiveX Install -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>explorer.exe</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46553" severity="medium" conversionstatus="pass" title="DTBI1020-IE11-Restrict ActiveX Install - iexplore" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict ActiveX Install -> 'Internet Explorer Processes' must be 
'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>iexplore.exe</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46555" severity="medium" conversionstatus="pass" title="DTBI1025-IE11-Content from different domains within windows - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Security Page-> Restricted Sites Zone 'Enable dragging of content from different domains within a window' must be 'Enabled', and 'Disabled' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2708" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2708</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46573" severity="medium" conversionstatus="pass" title="DTBI112-IE11-Download signed ActiveX - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Download signed ActiveX controls' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1001" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1001</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46575" severity="medium" conversionstatus="pass" title="DTBI113-IE11-Download unsigned ActiveX - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Download unsigned ActiveX controls' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1004" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1004</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46577" severity="medium" conversionstatus="pass" title="DTBI114-IE11-Initialize and script ActiveX - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Initialize and script ActiveX controls not marked as safe' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1201" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1201</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46579" severity="medium" conversionstatus="pass" title="DTBI115-IE11-ActiveX control and plugins - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Run ActiveX controls and plugins' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1200" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1200</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46581" severity="medium" conversionstatus="pass" title="DTBI116-IE11-ActiveX controls marked safe - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Script ActiveX controls marked safe for scripting' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1405" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1405</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46583" severity="medium" conversionstatus="pass" title="DTBI119-IE11-File download control - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow file downloads' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1803" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1803</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46585" severity="medium" conversionstatus="pass" title="DTBI120-IE11-Font download control - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow font downloads' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1604" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1604</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46587" severity="medium" conversionstatus="pass" title="DTBI121-IE11-Java Permission - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>1C00</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46589" severity="medium" conversionstatus="pass" title="DTBI122-IE11-Access data sources across domains - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Access data sources across domains' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1406" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1406</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46591" severity="medium" conversionstatus="pass" title="DTBI123-IE11-META REFRESH - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow META REFRESH' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1608" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1608</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46593" severity="medium" conversionstatus="pass" title="DTBI126-IE11-Drag and drop or copy and paste - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow drag and drop or copy and paste files' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1802" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1802</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46597" severity="medium" conversionstatus="pass" title="DTBI128-IE11-Programs and files in IFRAME - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Launching applications and files in an IFRAME' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1804" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1804</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46599" severity="medium" conversionstatus="pass" title="DTBI129-IE11-Navigating across domains - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Navigate windows and frames across different domains' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1607" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1607</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46601" severity="medium" conversionstatus="pass" title="DTBI132-IE11-Userdata persistence - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Userdata persistence' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1606" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1606</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46603" severity="medium" conversionstatus="pass" title="DTBI133-IE11-Active scripting - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow active scripting' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1400" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1400</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46605" severity="medium" conversionstatus="pass" title="DTBI134-IE11-Paste operations via script - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow cut, copy or paste operations from the clipboard via script' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1407" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1407</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46607" severity="medium" conversionstatus="pass" title="DTBI136-IE11-User Authentication-Logon - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Logon options' must be 'Enabled', and 'Anonymous logon' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1A00" is REG_DWORD = 196608 (decimal), this is not a finding.</RawString> <ValueData>196608</ValueData> <ValueName>1A00</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46609.a" severity="medium" conversionstatus="pass" title="DTBI300-IE11-Configuring History lists" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Delete Browsing History -> 'Disable Configuring History' must be 'Enabled', and '40' entered in 'Days to keep pages in History'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel Criteria: If the value "History" is REG_DWORD = 1, this is not a finding. 
</RawString> <ValueData>1</ValueData> <ValueName>History</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46609.b" severity="medium" conversionstatus="pass" title="DTBI300-IE11-Configuring History lists" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString> Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History Criteria: If the value "DaysToKeep" is REG_DWORD = 40 (decimal), this is not a finding.</RawString> <ValueData>40</ValueData> <ValueName>DaysToKeep</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46615" severity="medium" conversionstatus="pass" title="DTBI318-IE11-Addition and deletion of sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer 'Security Zones: Do not allow users to add/delete sites' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value "Security_zones_map_edit" is REG_DWORD = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>Security_zones_map_edit</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46617" severity="medium" conversionstatus="pass" title="DTBI319-IE11-Changing of policies" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer 'Security Zones: Do not allow users to change policies' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value "Security_options_edit" is REG_DWORD = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>Security_options_edit</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46619" severity="medium" conversionstatus="pass" title="DTBI320-IE11-Security zone machine settings" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer 'Security Zones: Use only machine settings' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value "Security_HKLM_only" is REG_DWORD = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>Security_HKLM_only</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46621" severity="medium" conversionstatus="pass" title="DTBI325-IE11-Security settings check feature" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> 'Turn off the Security Settings Check feature' must be 'Disabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Security Criteria: If the value "DisableSecuritySettingsCheck" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>DisableSecuritySettingsCheck</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46625" severity="medium" conversionstatus="pass" title="DTBI350-IE11-Software with invalid signatures" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Note: Some legitimate software and controls may have an invalid signature. You should carefully test such software in isolation before it is allowed to be used on an organization's network. 
The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> 'Allow software to run or install even if the signature is invalid' must be 'Disabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Download Criteria: If the value "RunInvalidSignatures" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>RunInvalidSignatures</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46629" severity="low" conversionstatus="pass" title="DTBI365-IE11-Check for server certificate revocation" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> 'Check for server certificate revocation' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value "CertificateRevocation" is REG_DWORD = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>CertificateRevocation</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46633" severity="medium" conversionstatus="pass" title="DTBI370-IE11-Signature checking on downloaded programs" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> 'Check for signatures on downloaded programs' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Download Criteria: If the value "CheckExeSignatures" is REG_SZ = yes, this is not a finding.</RawString> <ValueData>yes</ValueData> <ValueName>CheckExeSignatures</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46635" severity="medium" conversionstatus="pass" title="DTBI375-IE11-Network paths (UNCs) for Intranet sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> 'Intranet Sites: Include all network paths (UNCs)' must be 'Disabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Criteria: If the value "UNCAsIntranet" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>UNCAsIntranet</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46637" severity="medium" conversionstatus="pass" title="DTBI385-IE11-Script initiated windows - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow script-initiated windows without size or position constraints' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2102" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2102</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46639" severity="medium" conversionstatus="pass" title="DTBI390-IE11-Script initiated windows - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow script-initiated windows without size or position constraints' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2102" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2102</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46641" severity="medium" conversionstatus="pass" title="DTBI395-IE11-Scriptlets - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow Scriptlets' must be 'Enabled', and 'Disable' from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1209" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1209</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46643" severity="medium" conversionstatus="pass" title="DTBI415-IE11-Prompt for file downloads - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Automatic prompting for file downloads' must be 'Enabled', and 'Disable' selected 
from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2200" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2200</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46645" severity="medium" conversionstatus="pass" title="DTBI425-IE11-Java permission - Local Machine" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Local Machine Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following keys: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>1C00</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46647" severity="medium" conversionstatus="pass" title="DTBI430-IE11-Java permission - Locked Down Local Machine" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Locked-Down Local Machine Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following keys: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>1C00</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46649" severity="medium" conversionstatus="pass" title="DTBI435-IE11-Java permission - Locked Down Intranet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Locked-Down Intranet Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following keys: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>1C00</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46653" severity="medium" conversionstatus="pass" title="DTBI440-IE11-Java permission - Locked Down Trusted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Locked-Down Trusted Sites Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following keys: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>1C00</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46663" severity="medium" conversionstatus="pass" title="DTBI450-IE11-Java permission - Locked Down Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Locked-Down Restricted Sites Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following keys: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>1C00</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46665" severity="medium" conversionstatus="pass" title="DTBI455-IE11-Loading of XAML files - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow loading of XAML files' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2402" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2402</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46669" severity="medium" conversionstatus="pass" title="DTBI460-IE11-Loading of XAML files - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow loading of XAML files' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2402" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2402</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46681" severity="medium" conversionstatus="pass" title="DTBI485-IE11-Protected Mode - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Turn on Protected Mode' must be 'Enabled', and 'Enable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2500" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>2500</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46685" severity="medium" conversionstatus="pass" title="DTBI490-IE11-Protected Mode - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Turn on Protected Mode' must be 'Enabled', and 'Enable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2500" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>2500</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46689" severity="medium" conversionstatus="pass" title="DTBI495-IE11-Pop-up blocker - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Use Pop-up Blocker' must be 'Enabled', and 'Enable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1809" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>1809</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46691" severity="medium" conversionstatus="pass" title="DTBI500-IE11-Pop-up Blocker - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Use Pop-up Blocker' must be 'Enabled', and 'Enable' selected from 
the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1809" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>1809</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46693" severity="medium" conversionstatus="pass" title="DTBI515-IE11-Less privileged web content - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Web sites in less privileged Web content zones can navigate into this zone' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2101" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2101</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46695" severity="medium" conversionstatus="pass" title="DTBI520-IE11-Less privileged web content - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Web sites in less privileged Web content zones can navigate into this zone' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2101" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2101</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46701" severity="medium" conversionstatus="pass" title="DTBI575-IE11-Binary and script behaviors - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow binary and script behaviors' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2000" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2000</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46705" severity="medium" conversionstatus="pass" title="DTBI580-IE11-Prompt for file downloads - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Automatic prompting for file downloads' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2200" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2200</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46709" severity="medium" conversionstatus="pass" title="DTBI590-IE11-MIME handling - Reserved" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Consistent Mime Handling -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>(Reserved)</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46711" severity="medium" conversionstatus="pass" title="DTBI592-IE11-MIME handling - Explorer" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Consistent Mime Handling -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>explorer.exe</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46713" severity="medium" conversionstatus="pass" title="DTBI594-IE11-MIME handling - iexplore" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Consistent Mime Handling -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>iexplore.exe</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46715" severity="medium" conversionstatus="pass" title="DTBI595-IE11-MIME sniffing - Reserved" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Mime Sniffing Safety Feature -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>(Reserved)</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46717" severity="medium" conversionstatus="pass" title="DTBI596-IE11-MIME sniffing - Explorer" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Mime Sniffing Safety Feature -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>explorer.exe</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46719" severity="medium" conversionstatus="pass" title="DTBI597-IE11-MIME sniffing - iexplore" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Mime Sniffing Safety Feature -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>iexplore.exe</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46721" severity="medium" conversionstatus="pass" title="DTBI599-IE11-MK Protocol - Reserved" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> MK Protocol Security Restriction -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>(Reserved)</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46723" severity="medium" conversionstatus="pass" title="DTBI600-IE11-MK Protocol - Explorer" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> MK Protocol Security Restriction -> 'Internet Explorer Processes' must be 
'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>explorer.exe</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46725" severity="medium" conversionstatus="pass" title="DTBI605-IE11-MK protocol - iexplore" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> MK Protocol Security Restriction -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>iexplore.exe</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46727" severity="medium" conversionstatus="pass" title="DTBI610-IE11-Zone elevation - Reserved" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Protection From Zone Elevation -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>(Reserved)</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46729" severity="medium" conversionstatus="pass" title="DTBI612-IE11-Zone elevation - Explorer" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Protection From Zone Elevation -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>explorer.exe</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46731" severity="medium" conversionstatus="pass" title="DTBI614-IE11-Zone elevation - iexplore" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Protection From Zone Elevation -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>iexplore.exe</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46733" severity="medium" conversionstatus="pass" title="DTBI630-IE11-Restrict File Download- Reserved" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict File Download -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>(Reserved)</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46779" severity="medium" conversionstatus="pass" title="DTBI635-IE11-Restrict File download - Explorer" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict File Download -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>explorer.exe</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46781" severity="medium" conversionstatus="pass" title="DTBI640-IE11-Restrict File download - iexplore" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict File Download -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>iexplore.exe</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46787" severity="medium" conversionstatus="pass" title="DTBI645-IE11-Restricting pop-up windows - Reserved" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Scripted Window Security Restrictions -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>(Reserved)</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46789" severity="medium" conversionstatus="pass" title="DTBI647-IE11-Restricting pop-up windows - Explorer" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Scripted Window Security Restrictions -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>explorer.exe</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46791" severity="medium" conversionstatus="pass" title="DTBI649-IE11-Restricing pop-up windows - iexplore" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Scripted Window Security Restrictions -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>iexplore.exe</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46797" severity="medium" conversionstatus="pass" title="DTBI650-IE11-.NET w/Authenticode unsigned - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Run .NET Framework-reliant components not signed with Authenticode' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2004" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2004</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46799" severity="medium" conversionstatus="pass" title="DTBI655-IE11-.NET w/Authenticode signed - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Run .NET Framework-reliant components signed with Authenticode' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2001" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2001</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46801" severity="medium" conversionstatus="pass" title="DTBI670-IE11-Scripting of Java applets - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Scripting of Java applets' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1402" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1402</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46807" severity="medium" conversionstatus="pass" title="DTBI690-IE11-AutoComplete for forms" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> 'Disable AutoComplete for forms' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "Use FormSuggest" is REG_SZ = no, this is not a finding.</RawString> <ValueData>no</ValueData> <ValueName>Use FormSuggest</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46811" severity="medium" conversionstatus="pass" title="DTBI715-IE11-Crash Detection" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> 'Turn off Crash Detection' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions Criteria: If the value "NoCrashDetection" is REG_DWORD = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>NoCrashDetection</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46815.a" severity="medium" conversionstatus="pass" title="DTBI725-IE11-Auto-complete feature for user names and passwords" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> 'Turn on the auto-complete feature for user names and passwords on forms' must be 'Disabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "FormSuggest Passwords" is REG_SZ = 'no', this is not a finding. </RawString> <ValueData>no</ValueData> <ValueName>FormSuggest Passwords</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46815.b" severity="medium" conversionstatus="pass" title="DTBI725-IE11-Auto-complete feature for user names and passwords" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString> Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "FormSuggest PW Ask" is REG_SZ = 'no', this is not a finding.</RawString> <ValueData>no</ValueData> <ValueName>FormSuggest PW Ask</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46819" severity="medium" conversionstatus="pass" title="DTBI740-IE11-Managing SmartScreen Filter" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the system is on the SIPRNet, this requirement is NA. The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> "Prevent Managing SmartScreen Filter" must be "Enabled", and "On" selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter Criteria: If the value "EnabledV9" is "REG_DWORD = 1", this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>EnabledV9</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46829" severity="medium" conversionstatus="pass" title="DTBI760-IE11-Browser history on exit" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Delete Browsing History -> 'Allow deleting browsing history on exit' must be 'Disabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy Criteria: If the value "ClearBrowsingHistoryOnExit" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>ClearBrowsingHistoryOnExit</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46841" severity="medium" conversionstatus="pass" title="DTBI770-IE11-Website visit history" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Delete Browsing History -> 'Prevent Deleting Web sites that the User has Visited' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy Criteria: If the value "CleanHistory" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>CleanHistory</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46847" severity="medium" conversionstatus="pass" title="DTBI780-IE11-InPrivate Browsing" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Privacy -> 'Turn off InPrivate Browsing' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy Criteria: If the value "EnableInPrivateBrowsing" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>EnableInPrivateBrowsing</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46849" severity="medium" conversionstatus="pass" title="DTBI800-IE11-Scripting of WebBrowser control - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow scripting of Internet Explorer WebBrowser controls' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1206" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1206</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46853" severity="medium" conversionstatus="pass" title="DTBI810-IE11-Local directory paths - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Include local path when user is uploading files to a server' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "160A" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>160A</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46857" severity="medium" conversionstatus="pass" title="DTBI815-IE11-Notification Bars - Reserved" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features-> Notification Bar-> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>(Reserved)</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46859" severity="medium" conversionstatus="pass" title="DTBI820-IE11-Security warning for unsafe files - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Show security warning for potentially unsafe files' must be 'Enabled', and 'Prompt' 
selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1806" is REG_DWORD = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>1806</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46861" severity="medium" conversionstatus="pass" title="DTBI825-IE11-Notification Bars - Explorer" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features-> Notification Bar-> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>explorer.exe</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46865" severity="medium" conversionstatus="pass" title="DTBI830-IE11-ActiveX controls without prompt - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> ' Allow only approved domains to use ActiveX controls 
without prompt' must be 'Enabled', and 'Enable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "120b" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>120b</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46869" severity="medium" conversionstatus="pass" title="DTBI835-IE11-Notification Bars - iexplore" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features-> Notification Bar-> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>iexplore.exe</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46879" severity="medium" conversionstatus="pass" title="DTBI840-IE11-Cross-Site Scripting Filter- Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Turn on Cross-Site Scripting Filter' must be 'Enabled', and 'Enable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1409" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>1409</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46883" severity="medium" conversionstatus="pass" title="DTBI850-IE11-Scripting of WebBrowser Control - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow scripting of Internet Explorer WebBrowser controls' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1206" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1206</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46885" severity="medium" conversionstatus="pass" title="DTBI860-IE11-Local directory paths - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Include local path when user is uploading files to a server' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "160A" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>160A</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46889" severity="medium" conversionstatus="pass" title="DTBI870-IE11-Security Warning for unsafe files - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Show security warning for potentially unsafe files' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1806" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1806</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46893" severity="medium" conversionstatus="pass" title="DTBI880-IE11-ActiveX controls without prompt - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow only approved domains to use ActiveX controls without prompt' must be 'Enabled', and 'Enable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "120b" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>120b</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46895" severity="medium" conversionstatus="pass" title="DTBI890-IE11-Cross-Site Scripting Filter - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Turn on Cross-Site Scripting Filter' must be 'Enabled', and 'Enable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1409" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>1409</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46897" severity="medium" conversionstatus="pass" title="DTBI900-IE11-Restrict ActiveX Install - Reserved" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict ActiveX Install -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>(Reserved)</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46903" severity="medium" conversionstatus="pass" title="DTBI910-IE11-Status bar updates via script - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone 'Allow updates to status bar via script' must be 
'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2103" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2103</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46907" severity="medium" conversionstatus="pass" title="DTBI920-IE11-.NET w/Authenticode unsigned - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone 'Run .NET Framework-reliant components not signed with Authenticode' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2004" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2004</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46921" severity="medium" conversionstatus="pass" title="DTBI930-IE11-.NET w/Authenticode signed - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone 'Run .NET Framework-reliant components signed with Authenticode' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2001" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2001</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46927" severity="medium" conversionstatus="pass" title="DTBI940-IE11-Scriptlets - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone 'Allow Scriptlets' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1209" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>1209</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46939" severity="medium" conversionstatus="pass" title="DTBI950-IE11-Status bar updates via script - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone 'Allow updates to status bar via script' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2103" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2103</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46975" severity="medium" conversionstatus="pass" title="DTBI985-IE11-ActiveX controls in Enhanced Protected Mode" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Advanced Page 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "DisableEPMCompat" is REG_DWORD = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>DisableEPMCompat</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46981" severity="medium" conversionstatus="pass" title="DTBI990-IE11-Content from different domains across windows - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Security Page-> Internet Zone 'Enable dragging of content from different domains across 
windows' must be 'Enabled', and 'Disabled' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2709" is REG_DWORD = 3, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>2709</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46987" severity="medium" conversionstatus="pass" title="DTBI995-IE11-Enhanced Protected Mode " dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Advanced Page 'Turn on Enhanced Protected Mode' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "Isolation" is REG_SZ = 'PMEM', this is not a finding.</RawString> <ValueData>PMEM</ValueData> <ValueName>Isolation</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-46995" severity="medium" conversionstatus="pass" title="DTBI356-IE11-Enhanced Protect Mode on 64-bit versions" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Advanced Page 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "Isolation64Bit" is REG_DWORD = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>Isolation64Bit</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46997" severity="medium" conversionstatus="pass" title="DTBI1046-IE11-Anti-Malware programs against ActiveX controls - Internet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Security Page -> Internet Zone 'Don't run antimalware programs against ActiveX controls' must be 'Enabled' and 'Disable' selected in the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "270C" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>270C</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-46999" severity="medium" conversionstatus="pass" title="DTBI062-IE11-Anti-Malware programs against ActiveX controls - Intranet" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Security Page -> Intranet Zone 'Don't run antimalware programs against ActiveX controls' must be 'Enabled' and 'Disable' selected in the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value "270C" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>270C</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-47003" severity="medium" conversionstatus="pass" title="DTBI426-IE11-Anti-Malware programs against ActiveX controls - Local Machine" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Security Page ->Local Machine Zone 'Don't run antimalware programs against ActiveX controls' must be 'Enabled' and 'Disable' selected in the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Criteria: If the value "270C" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>270C</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-47005" severity="medium" conversionstatus="pass" title="DTBI1051-IE11-Anti-Malware programs against ActiveX controls - Restricted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Security Page -> Restricted Sites Zone 'Don't run antimalware programs against ActiveX controls' must be 'Enabled' and 'Disable' selected in the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "270C" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>270C</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-47009" severity="medium" conversionstatus="pass" title="DTBI092-IE11-Anti-Malware programs against ActiveX controls - Trusted Sites" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Security Page -> Trusted Sites Zone 'Don't run antimalware programs against ActiveX controls' must be 'Enabled' and 'Disable' selected in the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value "270C" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>270C</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-64711" severity="medium" conversionstatus="pass" title="DTBI1060-IE11-Managing SmartScreen Filter Warnings" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> ”Prevent bypassing SmartScreen Filter warnings” must be ”Enabled”. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter. Criteria: If the value "PreventOverride" is REG_DWORD = 1, this is not a finding. </RawString> <ValueData>1</ValueData> <ValueName>PreventOverride</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-64713" severity="medium" conversionstatus="pass" title="DTBI1065-IE11-Managing SmartScreen Filter Warnings" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> ”Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the internet” must be ”Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter. Criteria: If the value "PreventOverrideAppRepUnknown" is REG_DWORD = 1, this is not a finding. </RawString> <ValueData>1</ValueData> <ValueName>PreventOverrideAppRepUnknown</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-64715" severity="medium" conversionstatus="pass" title="DTBI1070-IE11-Per-User ActiveX Controls" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> ”Prevent per-user installation of ActiveX controls” must be ”Enabled”. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX. Criteria: If the value "BlockNonAdminActiveXInstall" is REG_DWORD = 1, this is not a finding. </RawString> <ValueData>1</ValueData> <ValueName>BlockNonAdminActiveXInstall</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-64717" severity="medium" conversionstatus="pass" title="DTBI1075-IE11-Prevent Ignoring Certificate Errors" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> ”Prevent ignoring certificate errors” must be ”Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings. Criteria: If the value "PreventIgnoreCertErrors" is REG_DWORD = 1, this is not a finding. 
</RawString> <ValueData>1</ValueData> <ValueName>PreventIgnoreCertErrors</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-64719" severity="medium" conversionstatus="pass" title="DTBI1080-IE11-Managing SmartScreen Filter-Internet Zone" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Internet Zone >> ”Turn on SmartScreen Filter scan” must be ”Enabled” and ”Enable” selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3. Criteria: If the value "2301" is REG_DWORD = 0, this is not a finding. </RawString> <ValueData>0</ValueData> <ValueName>2301</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-64721" severity="medium" conversionstatus="pass" title="DTBI1085-IE11-Managing SmartScreen Filter- Restricted Sites Zone" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Restricted Sites Zone >> ”Turn on SmartScreen Filter scan” must be ”Enabled” and ”Enable” selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4. Criteria: If the value "2301" is REG_DWORD = 0, this is not a finding. </RawString> <ValueData>0</ValueData> <ValueName>2301</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-64723" severity="medium" conversionstatus="pass" title="DTBI1090-IE11-Initialize and script ActiveX-Intranet Zone" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Intranet Zone >> ”Initialize and script ActiveX controls not marked as safe” must be ”Enabled” and ”Disable” selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1. Criteria: If the value "1201" is REG_DWORD = 3, this is not a finding. 
</RawString> <ValueData>3</ValueData> <ValueName>1201</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-64725" severity="medium" conversionstatus="pass" title="DTBI1095-IE11-Initialize and script ActiveX-Trusted Sites Zone" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Trusted Sites Zone >> ”Initialize and script ActiveX controls not marked as safe” must be ”Enabled” and ”Disable” selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2. Criteria: If the value "1201" is REG_DWORD = 3, this is not a finding. </RawString> <ValueData>3</ValueData> <ValueName>1201</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-64729" severity="medium" conversionstatus="pass" title="DTBI1100-IE11-Allow Fallback to SSL 3.0 (Internet Explorer)" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Security Features >> "Allow fallback to SSL 3.0 (Internet Explorer)" must be "Enabled", and "No Sites" selected from the drop-down box. If "Allow fallback to SSL 3.0 (Internet Explorer)" is not "Enabled" or any other drop-down option is selected, this is a finding. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings. Criteria: If the value "EnableSSL3Fallback" is REG_DWORD=0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>EnableSSL3Fallback</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-72757" severity="medium" conversionstatus="pass" title="DTBI1105-IE11-Run once selection for running outdated ActiveX controls must be disabled." dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>In the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Security Features >> Add-on Management, verify "Remove the Run this time button for outdated ActiveX controls in IE" is set to “Enabled”. Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext If the value "RunThisTimeEnabled" is REG_DWORD = 0, this is not a finding.</RawString> <ValueData>0</ValueData> <ValueName>RunThisTimeEnabled</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-72759" severity="medium" conversionstatus="pass" title="DTBI1110-IE11-Enabling outdated ActiveX controls for Internet Explorer must be blocked." 
dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>In the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Security Features >> Add-on Management, verify "Turn off blocking of outdated ActiveX controls for Internet Explorer" is set to “Disabled”. Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext If the value "VersionCheckEnabled" is REG_DWORD = 1, this is not a finding.</RawString> <ValueData>1</ValueData> <ValueName>VersionCheckEnabled</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-72761" severity="medium" conversionstatus="pass" title="DTBI1115-IE11-Use of the Tabular Data Control (TDC) ActiveX control must be disabled for the Interne" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Note: Only applies to Windows 10 version 1607 and higher and Windows Server 2016 systems. For other Windows versions, this check is Not Applicable. In the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Internet Zone, verify "Allow only approved domains to use the TDC ActiveX control" is “Enabled”. In the Options window, verify the “Only allow approved domains to use the TDC ActiveX control" drop-down box is set to “Enable”. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "120c" is REG_DWORD = “3”, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>120c</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-72763" severity="medium" conversionstatus="pass" title="DTBI1120-IE11-Use of the Tabular Data Control (TDC) ActiveX control must be disabled for the Restric" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Note: Only applies to Windows 10 version 1607 and higher and Windows Server 2016 systems. For other Windows versions, this check is Not Applicable. In the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Restricted Sites Zone, verify "Allow only approved domains to use the TDC ActiveX control" is “Enabled”. In the Options window, verify the “Only allow approved domains to use the TDC ActiveX control" drop-down box is set to “Enable”. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "120c" is REG_DWORD = “3”, this is not a finding.</RawString> <ValueData>3</ValueData> <ValueName>120c</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-75169" severity="medium" conversionstatus="pass" title="DTBI1125-IE11-VBScript" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Internet Zone >> "Allow VBScript to run in Internet Explorer" must be "Enabled", and "Disable" must be selected from the drop-down box. Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 If the value for "140C" is not REG_DWORD = 3, this is a finding. Note: This policy setting will only exist on Windows 10 Redstone 2 or later, and is otherwise not applicable. 
</RawString> <ValueData>3</ValueData> <ValueName>140C</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-75171" severity="medium" conversionstatus="pass" title="DTBI1130-IE11-VBScript" dscresource="Registry"> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</Key> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Restricted Sites Zone >> "Allow VBScript to run in Internet Explorer" must be "Enabled", and "Disable" must be selected from the drop-down box. Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 If the value for "140C" is not REG_DWORD = 3, this is a finding. Note: This policy setting will only exist on Windows 10 Redstone 2 or later, and is otherwise not applicable. </RawString> <ValueData>3</ValueData> <ValueName>140C</ValueName> <ValueType>Dword</ValueType> </Rule> </RegistryRule> </DISASTIG>